8. T-Mobile: $350 million
In July 2022, mobile communications giant T-Mobile announced the terms of a settlement for a consolidated class action lawsuit following a data breach that occurred in early 2021, impacting an estimated 77 million people. The incident centered around “unauthorized access” to T-Mobile’s systems after a portion of customer data was listed for sale on a known cybercriminal forum. In an SEC filing, it was revealed that T-Mobile would pay an aggregate of $350 million to fund claims submitted by class members, the legal fees of plaintiffs’ counsel, and the costs of administering the settlement. The company would also commit to an aggregate incremental spend of $150 million for data security and related technology in 2022 and 2023.
“The company anticipates that, upon court approval, the settlement will provide a full release of all claims arising out of the cyberattack by class members, who do not opt out, against all defendants, including the company, its subsidiaries and affiliates, and its directors and officers,” the filing read. “The settlement contains no admission of liability, wrongdoing or responsibility by any of the defendants. Class members consist of all individuals whose personal information was compromised in the breach, subject to certain exceptions set forth in the agreement. The company believes that terms of the proposed settlement are in line with other settlements of similar types of claims,” it added.
In November 2022, the Ireland Data Protection Commission (DPC) fined Meta $277 million (€265 million) for the compromise of 500 million users’ personal information. The DPC started its inquiry on April 14, 2021, following reports of a collated data set of Facebook personal data that had been made available on the internet. The scope of the inquiry concerned an examination and assessment of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms Ireland Limited (“MPIL”) during the period between May 25, 2018, and September 2019. “The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default,” the DPC wrote. “The DPC examined the implementation of technical and organizational measures pursuant to Article 25 GDPR (which deals with this concept). There was a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU. Those supervisory authorities agreed with the decision of the DPC.”